TR Daily Industry Response to Commerce’s Supply Chain NPRM Generally Critical
News
Monday, January 13, 2020

Industry participants have expressed concern about the Commerce Department’s proposals for determining when an information and communications technology and services (ICTS) supply chain transaction poses a security threat to the U.S., saying that the specifics of the proposal don’t align well with the underlying goal and pointing to the lack of advisory guidance under the proposal and a potential for companies to use the process to gain competitive advantages. They have also urged a continued role for industry in the process, among other suggestions.

Parties were responding to a notice of proposed rulemaking (NPRM) (RIN 0605-AA51) issued by the Commerce Department last fall (TR Daily, Nov. 26, 2019) as part of its effort to implement an executive order (EO) by President Trump that declared a national emergency due to the threats from foreign adversaries to the ICT supply chain (TR Daily, May 15, 2019).

The NPRM states that the department intends to take “a case-by-case, fact-specific approach to determine those transactions that meet the requirements set forth in the executive order and are therefore prohibited or must be mitigated.” However, it also anticipates that “particular technologies or particular participants in the market for ICTS” could one day face a blanket prohibition. If the department “determines that it is appropriate to designate classes of transactions for categorical inclusion or exclusion, further guidance will be issued at that time,” the NPRM says.

Huawei Technologies Co., Ltd., which has filed a lawsuit challenging the FCC’s recent decision to bar the use of Universal Service Fund (USF) subsidies to purchase Huawei’s telecom equipment (TR Daily, Dec. 5, 2019), and Huawei Technologies USA, Inc., said, “Although Huawei agrees with the overall objective of ensuring the security of the ICTS supply chain, it notes that there are serious reasons to doubt that the Supply Chain EO is a valid exercise of the President’s authority and that the Proposed Rule is legally authorized. The Supply Chain EO and Proposed Rule would establish a broad new regulation of U.S. telecommunications markets that is not authorized by the Communications Act and is inconsistent with the policy objectives that the independent Federal Communications Commission was established to promote.”

Huawei added, “The Supply Chain EO and Proposed Rule also represent an unprecedented and unjustified expansion of the President’s emergency authority under the International Emergency Economic Powers Act (IEEPA). Moreover, any adjudicatory decision made pursuant to the Supply Chain EO and Proposed Rule that deprived a party of a protected liberty or property interest would require the Department to provide pre- and post-deprivation procedures mandated by the Administrative Procedure Act and the Due Process Clause.”

However, since these issues were not the subject of the NPRM, Huawei said it would focus on the issues raised by the NPRM “without otherwise waiving any rights.”

Huawei recommended that the department “focus on developing a holistic risk-management framework that embraces steps broadly accepted by industry, standards bodies, and experts, including those in other parts of the government ranging from this Department’s National Institute of Standards and Technology (NIST) to the Department of Homeland Security and Department of Defense. Such an approach, rather than a bar on specific participants, will best improve supply chain security.”

It added, “The goals of the Supply Chain EO would be best served by the U.S. government engaging collaboratively with industry participants—including telecom and mobile operators and equipment suppliers—to further discuss supply chain risk, mitigation steps, and potential standards and best practices. Huawei stands ready to join in that process. Huawei would welcome the opportunity for constructive discussions with the Department and the U.S. government more generally about supply chain security and steps Huawei has taken and would be willing to undertake to mitigate cybersecurity risks and promote transparency.”

The Rural Wireless Association said it “believes that while the newly proposed rules are well-intended, they are subject to uneven enforcement and portend likely unintended consequences that could disrupt how society and businesses—especially small businesses that cannot easily absorb financial losses associated with canceled transactions—function day-to-day. The proposed rules may even violate existing federal laws.”

Noting that the NPRM proposes that transaction evaluations could be initiated on the basis of information submitted by private parties, RWA said that it “is concerned that there is a lack of transparency with the private party option that could give rise to an increased opportunity for commercial entities to attack their marketplace competitors through this process. It is not far-fetched to imagine that if Company A and Company B are both marketplace competitors vying for the same customer or lucrative commercial contract, Company A may submit information to the Commerce Department that Company B is in violation of the proposed rules, and then in addition to that, disclose this information to news media outlets. While it is possible that the Commerce Department may not find the private party information ‘credible,’ the harm to Company B’s reputation or stock price, before any definitive statement is issued by the U.S. government, may be irreversible. The lack of transparency is disconcerting.”

RWA also found “problematic” the NPRM’s statement that the department would not issue advisory opinions or declaratory rulings with respect to any particular transaction, which it said would create “a chilling effect: U.S. companies will delay or abstain from new capital-intensive, technology-related projects because of a fear that key equipment or service vendors vital to the project may violate other sections of the proposed Title 15, Part 7. Alternatively, the Commerce Department should amend the proposed Section 7.7 as currently drafted so that it expressly allows for an advisory opinion process, even if it is a non-committal decision.”

RWA also argued that the proposed rule would create an unfunded federal mandate.

USTelecom recommended that the department “[c]ontinue partnering industry leaders and other agencies in order to promote supply chain security and leverage the expertise and institutional contributions of these public private partnerships.” Among its specific suggestions to achieve this, it said that the Communications Sector Coordinating Council, the IT-Sector Coordinating Council, other pertinent SCCs, and the ICT Supply Chain Risk Management Task Force (SCRM Task Force) should “be formally notified of any preliminary determinations under proposed rule § 7.103 and should have the opportunity to provide input to the Department prior to a final determination. Such input should include analysis of the transaction’s pertinence to the risks identified in the DHS criticality assessment, without compromising confidentiality.”

USTelecom also urged the department to “[e]stablish a bright-line approach similar to the EAR’s [Export Administration Regulations’] ‘Entity List,’ relying on the DHS [Department of Homeland Security] risk assessment and related tools to draw lines between prohibited and permitted transactions.”

And it urged the Commerce Department to coordinate its “transaction evaluations formally with other agencies at every step and enhance the level and quality of such interagency coordination,” by providing formal written notice to the heads of agencies identified for consultation when initiating transaction evaluations, as well as by clarifying the procedure for receiving input.

The Satellite Industry Association said, “The NPRM does not sufficiently define the scope of transactions that are subject to case-by-case review. SIA encourages Commerce to seek additional comment on such issues [and] revise the NPRM to provide greater certainty to U.S. stakeholders regarding the scope of covered transactions.” In particular, it said that greater clarification is needed with respect to the definitions of “foreign adversary” and “interest.”

“As drafted, the NPRM does not provide clarity on the criteria that will be evaluated in determining whether a transaction poses an ‘undue risk’ or an ‘unacceptable risk.’ To avoid confusion, the rule should only use ‘unacceptable risk’ as this would seem the most fitting for national security related concerns,” SIA said.

It also raised process concerns, such as the lack of “clear parameters for determining whether a transaction should be evaluated.” Like RWA, SIA expressed concern about the lack of a process to obtain advisory guidance and about the possibility that private parties that submit information aimed at initiating an evaluation could act in “bad faith.”

The Internet Association said, “As currently drafted this proposed rule is overly broad and would adversely impact America’s digital economy. Accordingly, IA urges the Department of Commerce to revise the proposed rule with a focus on identifying concrete risks and narrowly defining terms to address those risks. The industry is committed to working with the Department of Commerce on ways to ensure national security objectives are met without unnecessarily undermining U.S. companies’ competitiveness.”

The software developers trade association BSA said it has “significant concerns” that the NPRM “does not set forth a workable framework for securing the ICT supply chain. Under this proposal, the Secretary of Commerce (Secretary) would have unbounded discretion to review commercial ICT transactions, applying highly subjective criteria in an ad hoc and opaque process that lacks meaningful safeguards for companies. [...] for comments, “particularly with respect to a rule with such vast legal scope and economic implications. Moreover, because this NPRM provides almost no specifics, industry cannot meaningfully comment on it. As such, we would ask that any further rulemaking is issued in the form of a detailed Supplemental Notice of Proposed Rulemaking (SNPRM) and provides industry with sufficient time to consult, review proposed changes and provide feedback.”

ITI also criticized the NPRM as overly broad and too encompassing in its scope, saying the proposed rule “is alarming and unnecessarily undermines all information and communications technology and services (ICTS) transactions with any nexus to the U.S. The NPRM as drafted is too broad to be practically implementable and goes well beyond that which is necessary to protect national security and prevent undue security risks to critical infrastructure supply chains. As a result, the NPRM unnecessarily casts a cloud of uncertainty over all ICTS transactions with any nexus to the United States, including those that present no or low risks to national security.”

It said the proposed rule is “too vague for companies to practically comply with, raising significant due process concerns.”

ITI also argued that the proposed rule “appears to be untethered from the requisite national security criteria in the EO, and thus ultimately won’t adequately address such risks. The EO empowers the Secretary of Commerce to block ICTS transactions only when such transactions involve a clear connection to a foreign adversary and pose unacceptable risks to national security or undue risks to critical infrastructure or the digital economy. However, the proposed Rule outlines a regulatory regime that appears to gloss over these fundamental threshold requirements.”

ITI said that the proposed rule “creates an unacceptable level of business uncertainty, threatening to undermine the competitiveness and technological leadership of U.S. companies.”

—Lynn Stanton
